Why was an update of the eIDAS Regulation necessary?

The eIDAS Regulation (electronic Identification, Authentication and Trust Services) was first adopted in 2014 to harmonise the European rules governing electronic identification and trust services – digital services that ensure the integrity, authenticity and legal value of electronic exchanges.

However, the digital landscape has evolved significantly over the past decade. The rise of digital platforms, the widespread use of online procedures and the increase in identity fraud and cyberattacks have highlighted the limitations of the initial framework. Over the same period, the EU has introduced a series of ambitious new laws – among them the GDPR (data protection), the Cybersecurity Act and, more recently, the NIS 2 Directive (cybersecurity) – all imposing more stringent security requirements.

In this environment, eIDAS 2.0, which came into force in May 2024, marks a significant step forward. It aims to strengthen European digital sovereignty and provide secure, unified and interoperable digital identification across the EU.

What new trust services does eIDAS 2.0 introduce?

The original eIDAS Regulation already defined several “trust services” including electronic signatures, electronic seals, time stamps and electronic registered delivery services. These services are designed to ensure the reliability of digital transactions by guaranteeing data integrity, sender authenticity and non-repudiation of exchanges.

eIDAS 2.0 expands the range of trust services to meet today’s digital needs.

  • Qualified electronic archiving service: This service provides the secure receipt, storage, retrieval and deletion of electronic documents and data, ensuring their preservation, readability, integrity, confidentiality and provenance throughout their retention period. 
  • Electronic attestation of attributes: These electronic attestations have the same legal effect as paper-based documents such as diplomas, signature mandates and powers of representation. 
  • Remote qualified electronic signature and seal creation devices: These services allow users to apply a qualified electronic signature online, even if the cryptographic device is hosted remotely, while maintaining a high level of security. eIDAS 2.0 sets out the rules governing the use and management of these remote signing devices.
  • Qualified electronic ledgers: These ledgers certify the origin, integrity and sequence of recorded data, including in technologies such as blockchain, thereby reinforcing trust in traceability solutions.

These new services aim to strengthen digital trust and pave the way for broader automation of secure online procedures. It is within this framework that the European Digital Identity Wallet (EUDI Wallet) takes centre stage, designed to provide secure, centralised access to digital services throughout the EU.

What is the European Digital Identity Wallet and what will it be used for?

The EUDI Wallet is a secure application, issued or recognised by each Member State, enabling any EU citizen to prove their identity online and offline, access digital services or sign documents with legal validity throughout the European Union.

In practical terms, the EUDI Wallet allows individuals to store, manage and share not only personal identification data (such as name, date of birth or national ID number), but also electronic attestations of attributes, for example diplomas, professional certificates or signature mandates. These items are presented only when necessary, and users retain a high degree of control over the data they share.    

The Wallet can be used in a variety of situations, including opening a bank account, enrolling at university, renting a vehicle, filing a tax return or proving that a person is of legal age to access certain services. It therefore serves as a universal digital identifier, interoperable across all EU Member States and recognised by major online platforms, which will be required to accept it. In addition to identification, the EUDI Wallet will also include qualified electronic signature certificates, allowing users to sign contracts or validate transactions remotely.

The challenge for organisations is twofold: ensuring compliance with this new regulatory framework, and securing and maintaining the interoperability of their digital services. Otherwise, they may incur liability or face sanctions.

How does eIDAS 2.0 regulate liability and sanctions for trust service providers?

With eIDAS 2.0, the EU strengthens governance and accountability for trust service providers (TSPs). To enhance the security of digital transactions and increase user trust, the updated regulation introduces a harmonised sanctions regime across the EU. Any provider, whether qualified or not, may now face administrative sanctions of up to 5 million euros or 1% of the group’s global turnover.

Legal liability differs depending on the provider’s qualification status. A non-qualified provider is only liable if the complainant can prove fault. By contrast, a qualified provider is presumed liable in the event of a service failure, unless it can demonstrate user negligence. This approach significantly strengthens the credibility of qualified providers while setting a higher level of requirements for them.

What are the next steps in implementing eIDAS 2.0 across the EU?

The adoption of eIDAS 2.0 in May 2024 marks the starting point for an ambitious regulatory and technical project.

The first milestone is the adoption of implementing acts, expected shortly. These acts will set out the applicable technical standards and security requirements for new trust services and the European Digital Identity Wallet in particular. 

At the same time, each Member State must make at least one Wallet available to all its citizens by November 2026. 

To support this roll-out, work has been carried out over the past few years through several pilot consortia (such as Potential and DC4EU), which have been testing large-scale use cases, covering banking identification, electronic signatures, access to public services and organisational identity management.

Trust service providers can already begin preparing, drawing on existing frameworks such as those provided by France’s national cybersecurity agency (ANSSI).

Prepare for eIDAS 2 with LuxTrust

Security and structural compliance have always been central to our approach, allowing us to align with eIDAS 2.0 requirements even before the regulation came into force. This foresight enables us to offer services that are already compliant with the updated framework, including our remote qualified signature solution and our NF 461- and HDS-certified e-archiving system.

Ensure your organisation is ready for the upcoming regulatory changes – contact our experts today to make the most of the opportunities offered by eIDAS 2.0.